Chosen-ciphertext attack on noncommutative 

Polly Cracker 

S. Bulygin
February 1, 2008 

1 Noncommutative Polly Cracker and preliminaries from noncommutative algebra

The noncommutative Polly Cracker cryptosystems were developed by T. Rai in his Ph.D. dissertation ([1]), and rely on the fact that there are ideals of noncommutative algebras over finite fields that have infinite reduced Groebner bases.

First let us briefly present the notation that will be used further in the text. Everything in this section is based on [1]. We will be working with the noncommutative algebra $\mathbb{F}_q\langle X\rangle$, where $X = \{x_1, \dots, x_n\}$, which is the algebra of noncommutative polynomials over $\mathbb{F}_q$. By a monomial we mean a finite noncommutative word in the alphabet $X$. We use the letter $B$ to denote the set of monomials. Multiplication in the set $B$ of monomials is defined by concatenation. The next important notion is that of an admissible ordering. A well-ordering $>$ on $B$ is said to be admissible if it satisfies the following conditions for all $p, q, r, s \in B$:

• if $p < q$ then $pr < qr$;

• if $p < q$ then $sp < sq$;

• if $p = qr$ then $p \geq q$ and $p \geq r$.

Let $>$ be an admissible ordering on the monomials and $f \in \mathbb{F}_q\langle X\rangle$. We say that a monomial $b_i$ occurs in $f$ if the coefficient of $b_i$ in $f = \sum_i \alpha_i b_i$ is not zero. We say that $b_i$ is the tip of $f$, denoted $\mathrm{tip}(f)$, if $b_i$ occurs in $f$ and $b_i \geq b_j$ for all $b_j$ occurring in $f$. We denote the coefficient of $\mathrm{tip}(f)$ by $C\mathrm{tip}(f)$. If $S \subseteq \mathbb{F}_q\langle X\rangle$, then we write $\mathrm{Tip}(S) = \{b \in B : b = \mathrm{tip}(f) \text{ for some nonzero } f \in S\}$ and $\mathrm{NonTip}(S) = B \setminus \mathrm{Tip}(S)$.

Another thing we need is the notion of division of a polynomial $g \in \mathbb{F}_q\langle X\rangle$ by polynomials $f_1, \dots, f_k \in \mathbb{F}_q\langle X\rangle$. Here a monomial $b$ divides a monomial $m$ if $m = ubv$ for some $u, v \in B$, i.e. if $b$ occurs as a subword of $m$. To perform such a division means to find nonnegative integers $i_1, i_2, \dots, i_k$ and elements $u_{ij}, v_{ij}, r \in \mathbb{F}_q\langle X\rangle$, for $1 \le i \le k$ and $1 \le j \le i_i$, such that:

• $g = \sum_{i=1}^{k} \sum_{j=1}^{i_i} u_{ij}\, f_i\, v_{ij} + r$;

• $\mathrm{tip}(g) \geq \mathrm{tip}(u_{ij}\, f_i\, v_{ij})$ for all $i$ and $j$;

• $\mathrm{tip}(f_i)$ does not divide any monomial that occurs in $r$, for $1 \le i \le k$.

Note that if $r \neq 0$, then $\mathrm{tip}(r) \le \mathrm{tip}(g)$; $r$ is the remainder of the division.

For the notion of a Groebner basis in the noncommutative case, cf. [1]. We will use the fact that the remainder of division by a Groebner basis is unique, i.e. it does not depend on the order in which the reduction steps are performed.

Now we present the noncommutative Polly Cracker from [1]. It can be summarized as follows.

Private Key: A Groebner basis $G = \{g_1, g_2, \dots, g_t\}$ for a two-sided ideal $I$ of the noncommutative algebra $\mathbb{F}_q\langle X\rangle$ over the finite field of $q$ elements.

Public Key: A set $B = \{q_r : q_r = \sum_{i=1}^{t} \sum_{j} f_{rij}\, g_i\, h_{rij}\}_{r=1}^{s} \subset I$, chosen so that computing a Groebner basis of $\langle B\rangle$ is infeasible.

Message Space: $M = \mathrm{NonTip}(I)$, or a subset of $\mathrm{NonTip}(I)$.

Encryption: $c = p + m$, where $m \in M$ is a message and $p = \sum_{i=1}^{s} \sum_{j} F_{ij}\, q_i\, H_{ij}$ is a polynomial in $J = \langle B\rangle \subseteq I$.

Decryption: Reduction of $c$ modulo $G$ yields the message $m$ (the summand $p \in I$ reduces to $0$, the message $m \in \mathrm{NonTip}(I)$ is already reduced, and the remainder modulo a Groebner basis is unique).

Note that for practical reasons T. Rai proposes to use a $G$ containing only one element $g$.

2 Cryptanalysis of noncommutative Polly Cracker 

In [3] and [4] it was shown that (commutative) Polly Cracker (first proposed in [2]) and its various modifications are susceptible to chosen-ciphertext attacks. We will now show that noncommutative Polly Cracker is also susceptible to a chosen-ciphertext attack. In fact, we will only need one "fake" ciphertext in order to be able to decrypt all further ciphertexts correctly. In the following we assume that we know the form of $g$ (e.g. $g = \alpha xy + \beta x + \gamma y + \delta$, where $\alpha, \beta, \gamma, \delta \in \mathbb{F}_q$; cf. for example section 5.1.3 of [1]). In particular, we assume that $\mathrm{tip}(g)$ is known, while the coefficients are not.

The main idea relies on the following observation. Let $I = \langle g\rangle$, and consider $\mathrm{tip}(g)$. We have:

$$\mathrm{tip}(g) = C\mathrm{tip}(g)^{-1}\, g - C\mathrm{tip}(g)^{-1} \cdot \mathrm{tail}(g),$$

where $\mathrm{tail}(g) = g - C\mathrm{tip}(g) \cdot \mathrm{tip}(g)$. Note that $\mathrm{tip}(g)$ does not divide any monomial in $\mathrm{tail}(g)$: every monomial of $\mathrm{tail}(g)$ is smaller than $\mathrm{tip}(g)$, whereas by the third condition on an admissible ordering any monomial divisible by $\mathrm{tip}(g)$ is at least $\mathrm{tip}(g)$. This means that $-C\mathrm{tip}(g)^{-1} \cdot \mathrm{tail}(g)$ is the remainder of division of $\mathrm{tip}(g)$ by $g$, or equivalently, it is the result of decryption of the "fake" ciphertext $\mathrm{tip}(g)$.

Now, let us go on to the chosen-ciphertext attack itself. Let us construct a "fake" ciphertext $c' = t \cdot \mathrm{tip}(g) \cdot s + \sum F_{ij}\, q_i\, H_{ij}$, where $t, s \in \mathbb{F}_q\langle X\rangle$ are such that no monomial of $t \cdot \mathrm{tail}(g) \cdot s$ is divisible by $\mathrm{tip}(g)$. The polynomials $t$ and $s$ are chosen to mask the "fake" ciphertext and, in principle, can be dropped. We have:

$$t \cdot \mathrm{tip}(g) \cdot s = C\mathrm{tip}(g)^{-1}\, t \cdot g \cdot s - C\mathrm{tip}(g)^{-1}\, t \cdot \mathrm{tail}(g) \cdot s,$$

and using the latter assumption we obtain that $-C\mathrm{tip}(g)^{-1}\, t \cdot \mathrm{tail}(g) \cdot s$ is the remainder of division of $t \cdot \mathrm{tip}(g) \cdot s$ by $g$, and thus it is the remainder of division of $c'$ by $g$ (as $\sum F_{ij}\, q_i\, H_{ij}$ reduces to $0$ modulo $G = \{g\}$). Since $G$ is a Groebner basis, this remainder is unique, so the decrypting party returns exactly this polynomial regardless of how it performs the reduction.
A simple example shows that the requirements on $t$ and $s$ can easily be satisfied. For instance, let us take $g = x_1 \cdot \ldots \cdot x_6 + c_1 x_1 + \ldots + c_6 x_6 + c_0$, $c_0, \dots, c_6 \in \mathbb{F}_q \setminus \{0\}$, as in section 5.1.2 of [1]. Then $\mathrm{tail}(g) = c_1 x_1 + \ldots + c_6 x_6 + c_0$ (under any admissible ordering) and we can take $t := x_3 x_5 + x_2 x_3 x_1 + x_4 x_1 x_6$, $s := x_5 x_1 x_3 + x_6 x_2 x_4$. One easily sees that no monomial of $t \cdot \mathrm{tail}(g) \cdot s$ is divisible by $\mathrm{tip}(g) = x_1 \cdot \ldots \cdot x_6$: every such monomial has the form $u \cdot x_i \cdot v$ or $u \cdot v$ with $u$ a word of $t$ and $v$ a word of $s$, and neither word of $s$ begins with a suffix of $x_1 \cdots x_6$ longer than $x_6$, so the six letters $x_1, \dots, x_6$ cannot appear consecutively. It is also clear that many more variants of $t$ and $s$ can be proposed.

So, going back to our construction, we see that if we send the "ciphertext" $c'$ to the decrypting party, we obtain (provided it returns the reduction of $c'$ modulo $G$, as the decryption procedure above prescribes) the "plaintext" $p' = -C\mathrm{tip}(g)^{-1}\, t \cdot \mathrm{tail}(g) \cdot s$. We know $t$ and $s$, so we can easily deduce $-C\mathrm{tip}(g)^{-1} \cdot \mathrm{tail}(g)$ from $p'$ (if $t$ and $s$ are monomials, this amounts to stripping them from every word of $p'$). Now construct $g' = \mathrm{tip}(g) + C\mathrm{tip}(g)^{-1} \cdot \mathrm{tail}(g)$. We have $C\mathrm{tip}(g) \cdot g' = g$, so $I = \langle g\rangle = \langle g'\rangle$, and thus we can use $g'$ in order to decrypt ciphertexts to the correct plaintexts, which is equivalent to knowing the private key $G = \{g\}$. Indeed, if for a ciphertext $c$ we had $c = g_1 \cdot g \cdot g_2 + r$, where $r$ is the remainder, then for the same ciphertext we have $c = C\mathrm{tip}(g)\, g_1 \cdot g' \cdot g_2 + r$, where $r$ is again the remainder, and it coincides with the remainder of division of $c$ by the initial $g$.
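The scheme of Section 1 and the attack above, as an added worked example in Python (this is not code from [1] or from this note). Its assumptions are the example's own: $q = 7$, six variables, the deglex ordering, a private key $g$ of the shape from section 5.1.2 of [1] but with $C\mathrm{tip}(g) = 3$ so that the inverse matters, two public-key elements, and the monomial masks $t = x_3 x_5$, $s = x_6 x_2 x_4$; the function names (`reduce_mod`, `attack`, `run_demo`) are likewise the example's. `reduce_mod` is the division of the preliminaries restricted to a single divisor, `attack` issues the one decryption query and returns $g'$, and `run_demo` shows that $g'$ decrypts a genuine ciphertext to the same message as $g$.

```python
# Added example, not code from [1] or from this note: a toy noncommutative Polly Cracker
# with G = {g} and the one-query chosen-ciphertext attack of Section 2. Assumptions:
# q = 7, six variables, deglex ordering, and g of the shape used in section 5.1.2 of [1].
import random
from itertools import product

Q = 7   # assumption: prime field, so a^-1 = pow(a, -1, Q)
N = 6   # variables x1..x6; a monomial (word) is a tuple of variable indices

def clean(f):
    return {w: c % Q for w, c in f.items() if c % Q}

def add(f, g, a=1):
    # f + a*g
    h = dict(f)
    for w, c in g.items():
        h[w] = h.get(w, 0) + a * c
    return clean(h)

def mul(f, g):
    # noncommutative product: words are concatenated, order matters
    h = {}
    for (u, a), (v, b) in product(f.items(), g.items()):
        h[u + v] = h.get(u + v, 0) + a * b
    return clean(h)

def tip(f):
    # deglex: longer words are larger, ties broken lexicographically (admissible)
    return max(f, key=lambda w: (len(w), w))

def ctip(f):
    return f[tip(f)]

def tail(f):
    return clean({w: c for w, c in f.items() if w != tip(f)})

def find_subword(word, pat):
    # tip(g) divides w iff w = u*tip(g)*v; return len(u), or -1 if it does not divide
    for i in range(len(word) - len(pat) + 1):
        if word[i:i + len(pat)] == pat:
            return i
    return -1

def divisible_free(f, t):
    # the requirement on t and s in the text: no monomial of f is divisible by t
    return all(find_subword(w, t) < 0 for w in f)

def reduce_mod(f, g):
    # remainder of f on division by g: rewrite c*u*tip(g)*v into -c*Ctip(g)^-1*u*tail(g)*v
    # until no monomial is divisible by tip(g); every step lowers the monomials, so it ends
    inv, tg = pow(ctip(g), -1, Q), tip(g)
    f = clean(f)
    while True:
        hit = next(((w, c) for w, c in f.items() if find_subword(w, tg) >= 0), None)
        if hit is None:
            return f
        w, c = hit
        i = find_subword(w, tg)
        f = add(f, mul(mul({w[:i]: 1}, g), {w[i + len(tg):]: 1}), -c * inv)

def rand_poly(rng, terms, maxlen):
    # sparse random mask: distinct words of length <= maxlen, nonzero coefficients
    f = {}
    while len(f) < terms:
        w = tuple(rng.randint(1, N) for _ in range(rng.randint(0, maxlen)))
        f[w] = rng.randint(1, Q - 1)
    return f

def keygen(rng):
    # private key g = 3*x1x2x3x4x5x6 + c1 x1 + ... + c6 x6 + c0; Ctip(g) = 3 != 1 on purpose
    g = {tuple(range(1, N + 1)): 3, (): rng.randint(1, Q - 1)}
    for i in range(1, N + 1):
        g[(i,)] = rng.randint(1, Q - 1)
    # public key: two elements q_r = sum_j f_rj * g * h_rj of the ideal <g>
    pub = []
    for _ in range(2):
        q = {}
        for _ in range(2):
            q = add(q, mul(mul(rand_poly(rng, 2, 2), g), rand_poly(rng, 2, 2)))
        pub.append(q)
    return g, pub

def encrypt(rng, pub, m):
    # c = p + m with p = sum_i F_i * q_i * H_i in J = <B>; decryption is reduce_mod(c, g)
    p = {}
    for q in pub:
        p = add(p, mul(mul(rand_poly(rng, 2, 1), q), rand_poly(rng, 2, 1)))
    return add(p, m)

def attack(pub, tip_g, oracle, rng):
    # one chosen ciphertext c' = t*tip(g)*s + (element of <B>) recovers
    # g' = tip(g) + Ctip(g)^-1 * tail(g), which generates the same ideal as g
    t_word, s_word = (3, 5), (6, 2, 4)            # monomial masks t and s
    fake = add(mul(mul({t_word: 1}, {tip_g: 1}), {s_word: 1}), encrypt(rng, pub, {}))
    p_prime = oracle(fake)                         # = -Ctip(g)^-1 * t*tail(g)*s
    # every word must read t*m*s, otherwise the masks were badly chosen
    assert all(w[:len(t_word)] == t_word and w[-len(s_word):] == s_word for w in p_prime)
    stripped = {w[len(t_word):len(w) - len(s_word)]: c for w, c in p_prime.items()}
    return add({tip_g: 1}, stripped, -1)

def run_demo(seed=1):
    # honest decryption, then the attacker's g' decrypting the same ciphertext
    rng = random.Random(seed)
    g, pub = keygen(rng)
    m = {(1, 2): 1, (5,): 2, (): 4}                # constructed message in NonTip(I)
    c = encrypt(rng, pub, m)
    g_prime = attack(pub, tip(g), lambda x: reduce_mod(x, g), rng)
    return g, g_prime, m, reduce_mod(c, g), reduce_mod(c, g_prime)
```

The attacker never sees $g$: it uses the public key, the known $\mathrm{tip}(g)$ and a single answer from the decryption oracle, and `run_demo` returns the same message from `reduce_mod(c, g)` and `reduce_mod(c, g_prime)`. Because $\mathrm{tip}(g) = x_1 \cdots x_6$ has no self-overlap, $\{g\}$ is a Groebner basis, which is what makes the remainder unique and the oracle's answer predictable.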

To confuse the decrypting system even further, we may send a "fake" ciphertext of the form $c'' = c' + h$, where $c'$ is as above and $h \in \mathbb{F}_q\langle X\rangle$ is such that $\mathrm{tip}(g)$ does not divide any monomial in $h$. Note that such polynomials $h$ "incorporate" monomials from $\mathrm{NonTip}(I)$, i.e. valid messages. The "plaintext" corresponding to $c''$ will be $p' + h$ (reduction modulo a Groebner basis is linear and $h$ is already reduced), which again gives rise to $g'$ as above, since $h$ is known to us. So in our attack the "fake" ciphertext $c''$ contains both monomials divisible by $\mathrm{tip}(g)$ and monomials that are not. In addition, we note that the variety of such $c''$ is very broad.

All considerations above imply that a private key $G = \{g\}$ can be claimed insecure. Note that right from the definition of a reduced Groebner basis we get that private keys of the form $G = \{g_1, \dots, g_s\}$, where $G$ is the reduced Groebner basis of $I$, can also be claimed insecure: in a reduced basis no monomial of $\mathrm{tail}(g_i)$ is divisible by any $\mathrm{tip}(g_j)$, so the "fake" ciphertext $\mathrm{tip}(g_i)$ decrypts to $-C\mathrm{tip}(g_i)^{-1} \cdot \mathrm{tail}(g_i)$, and we can apply our technique $s$ times in order to be able to correctly decrypt valid ciphertexts. So, at this point only private keys of the form $G = \{g_1, \dots, g_s\}$, where $G$ is not a reduced Groebner basis of $I$ and $s > 1$, give a hope of constructing a system not susceptible to chosen-ciphertext attacks.

As a final remark we would like to note that the same principle can be applied when cryptanalyzing the generalized (commutative) Polly Cracker cryptosystems (cf. section 2.1 of [1]).

3 Conclusion 

In this short note we have shown that the newly proposed noncommutative Polly Cracker cryptosystem, as it was worked through in [1], is susceptible to a chosen-ciphertext attack. This conceptually coincides with the warnings stated in [4] as to the use of polynomial-based cryptosystems, and shows that more care should be taken when constructing such a system.